psw704

Paul’s Security Weekly Episode #704 – July 29, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. The B Is for Business – 06:00 PM-06:45 PM

Announcements

  • CyberRisk Alliance, in partnership with InfraGard, has launched the Critical Infrastructure Resilience Benchmark study. Measure your readiness for ransomware by completing the survey and getting your score. Visit https://securityweekly.com/CIRB to take the survey

Description

Alyssa will discuss the growing trend of organizations implementing Business Information Security Officers. We’ll talk about how the BISO builds bridges between the security and business organizations that DevSecOps shared-responsibility culture. We’ll dive into Alyssa’s career progression and the lessons she learned along the way the prepared her for this high level leadership role.

Guest(s)

Alyssa Miller

Alyssa Miller – BISO (Business Information Security Officer) at S&P Global

@alyssam_infosec

Alyssa Miller, Business Information Security Officer (BISO) for S&P Global, directs the security strategy for the Ratings division, connecting corporate security objectives to business initiatives. She blends a unique mix of technical expertise and executive presence to bridge the gap that can often form between security practitioners and business leaders. Her goal is to change how we look at the security of our interconnected way of life and focus attention on defending privacy and cultivating trust.
A life-long hacker, Alyssa has a passion for technology and security. She bought her first computer herself at age 12 and quickly learned techniques for hacking modem communications and software. Her serendipitous career journey began as a software developer which enabled her to pivot into security roles. Beginning as a penetration tester, her last 15 years have seen her grow as a security leader with experience across a variety of organizations. She regularly advocates for improved security practices and shares her research with business leaders and industry audiences through her international public speaking engagements, online content, and other media appearances.

Hosts

JeffMan

Jeff Man

@MrJeffMan

#HackingisNotaCrime Advocate, Sr. InfoSec Consultant at Online Business Systems

LarryPesce

Larry Pesce

@haxorthematrix

Principal Managing Consultant and Director of Research & Development at InGuardians

PaulAsadoorian

Paul Asadoorian

@securityweekly

Founder at Security Weekly

TylerRobinson

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc and Founder & CEO of Dark Element at Trimarc Security

2. Cyber-Physical Attacks – 07:00 PM-07:45 PM

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, join our Discord Server, and follow us on our newest live-streaming platform, Twitch!

Description

Join Michael Welch for a discussion on the ramifications a cyber-physical attack can have on ill prepared organizations.

As a third-party expert, Michael can speak to:
• The importance of being aware of the widening attack surface due to an inter-connected world of cyber-physical security.
• The critical need to have the right solutions in place to thwart bad actors from gaining access to a physical system.
• The security considerations organizations, specifically in the healthcare and critical infrastructure sectors, should address to circumvent cyber-physical attacks.

Guest(s)

Michael Welch

Michael Welch – Managing Director at MorganFranklin

Michael Welch is responsible for supporting new business relationships and spearheading cybersecurity consulting initiatives for MorganFranklin. A leader in cybersecurity and technology with over 20 years of experience in risk management, compliance, and critical infrastructure. Mike previously served as global chief information security officer for OSI Group, a privately-owned food processing holding company that services some of the world’s best-known brands throughout 17 countries. In addition, he has worked with Burns & McDonnell, Duke Energy Corp. and Florida Power & Light, among other companies. He is an accomplished CISO, senior manager, and security consultant, leading teams of InfoSec engineers, architects, and analysts to deliver complex cybersecurity transformations.

Hosts

JeffMan

Jeff Man

@MrJeffMan

#HackingisNotaCrime Advocate, Sr. InfoSec Consultant at Online Business Systems

LarryPesce

Larry Pesce

@haxorthematrix

Principal Managing Consultant and Director of Research & Development at InGuardians

PaulAsadoorian

Paul Asadoorian

@securityweekly

Founder at Security Weekly

TylerRobinson

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc and Founder & CEO of Dark Element at Trimarc Security

3. PetitPotam Attack, History of RickRolling, & Foxit PDF Vulns – 08:00 PM-09:30 PM

Announcements

  • Security Weekly Unlocked will be held IN PERSON this December 5-8 at the Hilton Lake Buena Vista!

    We are excited to announce our first round of speakers: David Kennedy, Alyssa Miller, O’Shea Bowens, Marina Ciavatta, Patrick Coble, Chris Eng, Eric Escobar, Kevin Johnson, and Justin Kohler!

    Visit https://securityweekly.com/unlocked to register and check out our rockstar lineup!

  • If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand

Description

This week in the Security News: From a stolen laptop to inside the company network, the essential tool for hackers called “Discord”, fixin’ your highs, hacking DEF CON, an 11-year-old can show you how to get an RTX 30 series, broadcasting your password, to fuzz or not to fuzz, a real shooting war, evil aerobics instructors, the return of the PunkSpider, No Root for you, & more!

Hosts

JeffMan

Jeff Man

@MrJeffMan

#HackingisNotaCrime Advocate, Sr. InfoSec Consultant at Online Business Systems

LarryPesce

Larry Pesce

@haxorthematrix

Principal Managing Consultant and Director of Research & Development at InGuardians

  1. From Stolen Laptop to Inside the Company Network — Dolos Group
  2. Rickrolling: The Definitive Oral History
  3. Receiving pH Readings from a Wireless Medical Implant with RTL-SDR
  4. Using Ghidra To Extract A Router Configuration Encryption Key
  5. Kaspersky Password Manager: All your passwords are belong to us
LeeNeely

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

  1. Discord is now an essential tool for hackers – Gaming-centric messaging platform Discord has become a favorite tool among cybercriminals, research suggests. A new report from security company Sophos says it uncovered 17,000 unique malware URLs in Discord’s content delivery network (CDN), nearly 5,000 of which are still active.
  2. Security vulnerabilities in IDEMIA access control devices could allow attackers to ‘remotely open doors’ – Three vulnerabilities (CVE-2021-35522, CVE-2021-35520, CVSS 6.2, and CVE-2021-35521) affecting biometric access control devices manufactured by IDEMIA that could be exploited by attackers to remotely execute arbitrary code, cause a DoS condition, or read/write arbitrary files on compromised devices. According to researchers from Positive Technologies.
  3. Microsoft Warns of LemonDuck Malware Targeting Windows and Linux Systems – PowerShell based crypto-mining malware has continued to refine and improve upon its techniques to strike both Windows and Linux operating systems by exploiting older vulnerabilities while concurrently using various spreading mechanisms to maximize their campaigns’ efficacy.
  4. Threat actor offers Clubhouse secret database containing 3.8B phone numbers – A threat actor has reportedly posted and offered up for sale a “secret” database belonging to social audio app “Clubhouse” containing some 3.8 billion phone numbers belonging to Clubhouse users, including more than 83 billion numbers belonging to Japanese users. Information compromised in the breach is said to include victims’ user IDs, full names, usernames, Twitter handles, Instagram handles, number of followers, number of people followed by the users, accounts’ creation dates, and invited by user profile names, but no financial data.
  5. China’s New Law Requires Vendors to Report Zero-Day Bugs to Government – The Cyberspace Administration of China (CAC) has issued new stricter vulnerability disclosure regulations that mandate software and networking vendors affected with critical flaws to mandatorily disclose them first-hand to the government authorities within two days of filing a report.
  6. TikTok, Snapchat account hijacker arrested for role in Twitter hack – DOJ has announced the arrest of 22-year-old U.K. national Joseph O’Connor for his role in the 2020 Twitter hack. The criminal complaint alleges that O’Connor was also involved in taking over Snapchat and TikTok accounts.
  7. Chinese spies are exploiting routers to try hacking French targets, cyber agency says – CyberScoop – ANSSI, French National Agency for the Security of Information Systems has revealed it is now dealing with a “massive” hacking campaign being conducted by the China-linked advanced persistent threat (APT) group APT31.
  8. Average time to fix high severity vulnerabilities grows from 197 days to 246 days in 6 months: report – A research group’s analysis determined that the time required for a vendor to learn of, and then release a security update to close a vulnerability has risen from an average of 197 days to 246 days. Further, the group found that within the Utilities sector that more than 65% of their software applications contained at least one serious exploit – the worst statistic across all measured categories.
  9. Ninth Circuit limits feds’ confiscation of cellphones, laptops at points of entry: report – San Francisco’s 9th Circuit recently ruled that Border Patrol agents positioned at some U.S. checkpoints located across states that they officiate over will, by and large, require a search warrant to access a traveler’s laptop computer or cell phone without the travelers consent. Agents may only search the electronic devices for digital contraband (e.g. child pornography).
  10. BlackMatter Ransomware Claims to Be Best of REvil, DarkSide – Possible former DarkSide affiliate now associated with DarkMatter. While REvil sites were takend down in July, it’s not clear that Sodinokibi operations have ceased.
PaulAsadoorian

Paul Asadoorian

@securityweekly

Founder at Security Weekly

  1. From Stolen Laptop to Inside the Company Network – Adrian dropped this story in our SW chat, really amazing work. Should we still even bother to encrypt our hard drives then?
  2. Hacking DEF CON 29 – Reznok – Sometimes web app hacking is pretty straight forward: “What I had found was a very well known access control vulnerability known as IDOR (Insecure Direct Object Reference). To exploit this IDOR vulnerability, all an attacker needs to identify is how the order numbers are generated, which in this case was incrementally, and that no authentication is required. This exploit example is about as straight forward as web hacking gets, but even if an exploit is simple, it can still be highly impactful.” The issue was resolved with a token.
  3. Microsoft Teams now automatically blocks phishing attempts – “Safe Links is a feature in Defender for Office 365 (previously known as Office 365 Advanced Threat Protection) that provides URL scanning and “time-of-click verification” of URLs and links in email messages, groups, and other locations.” – Is this something that you should just enable as added protection? What are the limitations or potential operational risks?
  4. 11-Year-Old Finds Loophole in Newegg App to Quickly Buy PC Graphics Cards – Sometimes web app hacking is even more simple, like just using the mobile app: “However, Santana’s son discovered that Newegg’s mobile app can let you buy the hot item GPUs from the custom PC builder service individually. Go to PC builder > Build your PC > Video Cards section. You’ll see various RTX 3000 GPUs listed as out of stock. But in some cases, if you add the product to your cart, the app will do so, and let you purchase it. “
  5. Tokenvator Release 3
  6. CWE – 2021 CWE Top 25 Most Dangerous Software Weaknesses – Really cool list, and even more fun to dig into the individual CWEs, then scroll down to references. They’ve done a great job of collecting some of the definitive works that describe each type of vulnerability. For anyone starting out in infosec, this is required reading. Examples: Aleph One. “Smashing The Stack For Fun And Profit”. 1996-11-08. (http://phrack.org/issues/49/14.html), Michael Howard, David LeBlanc and John Viega. “24 Deadly Sins of Software Security”, David Litchfield, Chris Anley, John Heasman and Bill Grindlay. “The Database Hacker’s Handbook: Defending Database Servers”. Wiley. 2005-07-14, Katrina Tsipenyuk, Brian Chess and Gary McGraw. “Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors”. NIST Workshop on Software Security Assurance Tools Techniques and Metrics. NIST. 2005-11-07. (https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf).
  7. Olympics Broadcaster Announces His Computer Password on Live TV – Whoops: “Turns out the password was “Booth.03″ after the number of the commentator’s booth.”
  8. Failed SSH Lockout! – Moral of the story: don’t leave SETUID files laying around owned by root. (find directory -user root -perm -4000 -exec ls -ldb {} \; >/tmp/filename)
  9. New PetitPotam attack allows take over of Windows domains
  10. The Evolution of Security Testing – Interesting, should we be using automated fuzzing more? “Fuzzing provides a proactive approach to security testing. It is the negative or non-functional testing. It shows whether or not an application can withstand unexpected situations, and it helps uncover zero days. One way to think about (and justify) Advanced Fuzz Testing is that it is penetration testing in a machine. Like pen testing, Advanced Fuzz Testing thinks box. However, there are benefits to Advanced Fuzz Testing not found with pen testing. Unlike pen testing, Advanced Fuzz Testing is continuous, not just a point in time. It can be done at human) speed. It can be performed at machine scale, and with machine accuracy. This coverage than what a human is capable of doing.”
  11. Biden Warns Cyberattacks Could Escalate to a “Real Shooting War” – This is a really interesting statement from the POTUS: “We reaffirm that a decision as to when a cyber attack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis. Allies recognize that the impact of significant malicious cumulative cyber activities might, in certain circumstances, be considered as amounting to an armed attack.” Article 5 of the North Atlantic Treaty is: “Article 5 provides that if a NATO Ally is the victim of an armed attack, each and every other member of the Alliance will consider this act of violence as an armed attack against all members and will take the actions it deems necessary to assist the Ally attacked.”
  12. Microsoft researcher found Apple 0-day in March, didn’t report it
  13. Top Routinely Exploited Vulnerabilities – Do we just patch what is being exploited? “Based on available data to the U.S. Government, a majority of the top vulnerabilities targeted in 2020 were disclosed during the past two years. Cyber actor exploitation of more recently disclosed software flaws in 2020 probably stems, in part, from the expansion of remote work options amid the COVID-19 pandemic. The rapid shift and increased use of remote work options, such as virtual private networks (VPNs) and cloud-based environments, likely placed additional burden on cyber defenders struggling to maintain and keep pace with routine software patching. Four of the most targeted vulnerabilities in 2020 affected remote work, VPNs, or cloud-based technologies. “
  14. Hackers posed as aerobics instructors in malware attack on defense contractors – “According to researchers, the group members posed as diet and aerobics instructors on Facebook to inject malware into the devices used by an aerospace defense contractor’s employees.”
  15. Reboot of PunkSpider Tool at DEF CON Stirs Debate – So PunkSpider is like Shodan, but collects vulnerabilities in websites. Two opposing views, on one hand “Making them public might be the thing that pushes administrators to fix [these vulnerabilities].” but on the other hand: “t is needlessly calling out site insecurities without proof that companies respond accordingly and make necessary changes to protect themselves.” – Thoughts?
  16. No Root For You – So once your data is in the cloud its totally safe? “The shift to cloud computing and hardened client-side computing is not just well underway. It’s nearly complete. Until we come up with a better solution, our defense against ransomware is in the clouds. When we work in the cloud, the data is encrypted up there and down here, the client software is easy to replace, and the hardware could be anything with a screen and a keyboard. And I think I can give up root for that.” – Look, I’m not ready to give up root. But, that’s not really the point. The attackers will go after the data, whether its in the cloud or not. Let’s say, as this article proposes, that your data is stored in the cloud. Defending against ransomware attacks now means you have to secure the data in the cloud. The question for attackers is how do they steal, delete, erase and/or encrypt all of your data in the cloud? Certainly possible, we’ll probably call it ransomware 2.0 or some crap like that.
  17. Turn Off, Turn On: Simple Step Can Thwart Top Phone Hackers
  18. LockBit 2.0, the first ransomware that uses group policies to encrypt Windows domains
TylerRobinson

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc and Founder & CEO of Dark Element at Trimarc Security